[go: up one dir, main page]

WO2008034090A1 - Method and system for one time password based authentication and integrated remote access - Google Patents

Method and system for one time password based authentication and integrated remote access Download PDF

Info

Publication number
WO2008034090A1
WO2008034090A1 PCT/US2007/078544 US2007078544W WO2008034090A1 WO 2008034090 A1 WO2008034090 A1 WO 2008034090A1 US 2007078544 W US2007078544 W US 2007078544W WO 2008034090 A1 WO2008034090 A1 WO 2008034090A1
Authority
WO
WIPO (PCT)
Prior art keywords
otp
client
user
domain
tgt
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/US2007/078544
Other languages
French (fr)
Inventor
Jameel Syed
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NETWORK TECHNOLOGIES Ltd
Schlumberger Canada Ltd
Services Petroliers Schlumberger SA
Original Assignee
NETWORK TECHNOLOGIES Ltd
Schlumberger Canada Ltd
Services Petroliers Schlumberger SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by NETWORK TECHNOLOGIES Ltd, Schlumberger Canada Ltd, Services Petroliers Schlumberger SA filed Critical NETWORK TECHNOLOGIES Ltd
Publication of WO2008034090A1 publication Critical patent/WO2008034090A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords

Definitions

  • Kerberos is a network authentication protocol that is designed to provide strong authentication for client/server applications by using secret-key cryptography. Most commonly, Kerberos is used as the underlying authentication protocol for the Windows ® operating system. Kerberos authentication is a single sign-on protocol that typically involves three entities: a Keys Distribution Center (KDC), a client (i.e., a user), and the server with the desired service for which access is requested by the client.
  • KDC Keys Distribution Center
  • the KDC is a Kerberos server that stores keys associated with multiple servers and clients.
  • the KDC is installed as part of the domain controller and performs two service functions: the Authentication Service (AS) and the Ticket- Granting Service (TGS).
  • TGT ticket granting ticket
  • the client can request other short-term keys or session keys for communication with one or more servers. Session keys are requested using the already obtained TGT.
  • the client logs on to a workstation (e.g., using static passwords, smart card credentials, etc.). The client is then prompted to contact the KDC, which generates the TGT using the TGS after authenticating the client's log on credentials.
  • the certificate stored on the smart card may be extracted locally and used to generate a TGT request, and the TGT request is subsequently sent to the KDC.
  • the KDC provides the TGT to the client upon validation of the smart card certificate. Once successfully authenticated, the user is granted the TGT, which is valid for the local domain.
  • the client's password is randomized and the client has no control over the password.
  • the TGT obtained from the KDC is typically cached on the local machine in volatile memory space and used to request sessions with services throughout the network.
  • the client authentication with the KDC can take place using any authentication scheme, such as static passwords, PKI credentials, etc.
  • the KDC After establishing trust with the KDC, the KDC releases the secret keys associated with the server and provides the secret keys to the client for establishing a session between the client and the server. Further, clients can obtain access to servers on different domains using the transitive properties between the different domains.
  • the transitive property states that if Domain A has established trust with Domain B, and Domain B has established trust with Domain C, then Domain A has automatically established trust to Domain C.
  • a client can communicate with a server in a different domain. Initially, the client uses the TGS service of the KDC located in Domain A to obtain a referral ticket for a second KDC located in Domain B. Subsequently, the referral ticket with the TGS service on the KDC in Domain B is used to obtain a second referral ticket for Domain C.
  • the second referral ticket is used with the TGS service on the KDC for Domain C to obtain a session ticket for the server in Domain C.
  • a client may attempt to log on (using smart card credentials) to a remote terminal server.
  • some of the layers of the stack that are used to perform the extraction and authentication of the smart card certificate are located on the terminal server, while other layers of the stack are located on the local client machine. In some cases, this may cause delays in the log on and subsequent unlocking of a user session.
  • the invention relates to a system for client authentication using a one time password (OTP), comprising a client configured to request access to an application executing on an internal corporate network, and transmit the OTP and a user name associated with a user to an OTP keys distribution center (KDC), wherein the OTP is used to authenticate the user to the internal corporate network, and the OTP KDC configured to receive the OTP from the client, and issue an inter-domain key and a ticket-granting-ticket (TGT) to the client upon validation of the OTP, wherein the inter-domain key and the TGT are used to authenticate the client and grant access to the application.
  • OTP OTP keys distribution center
  • TGT ticket-granting-ticket
  • the invention relates to a method for client authentication using a one time password (OTP), comprising receiving the OTP from a client, wherein the OTP is used to authenticate a user to the internal corporate network, validating the OTP, issuing an inter-domain key and a ticket-granting-ticket (TGT) to the client upon validation of the OTP, requesting a service ticket using the TGT and the inter-domain key, and establishing communication with a corporate server executing an application on the internal coiporate network using the service ticket.
  • OTP one time password
  • the invention in general, in one aspect, relates to a computer system, comprising a processor, a memory, a storage device, and software instruction stored in the memory for enabling the computer system under control of the processor to receive the OTP from a client, wherein the OTP is used to authenticate a user to the internal corporate network, validate the OTP, issue an inter- domain key and a ticket-granting- ticket (TGT) to the client upon validation of the OTP, request a service ticket using the TGT and the inter- domain key, and establish communication with a corporate server executing an application on the internal corporate network using the service ticket.
  • TGT ticket-granting- ticket
  • the invention relates to a method for client authentication using an authentication credential, comprising receiving the authentication credential associated with a user from a client, wherein the authentication credential is used to authenticate the user to the internal corporate network, validating the authentication credential, issuing an inter- domain key and a ticket- granting-ticket (TGT) to the client upon validation of the authentication credential, requesting a service ticket using the TGT and the inter-domain key, and establishing communication with a corporate server executing an application on the internal corporate network using the service ticket.
  • TGT ticket- granting-ticket
  • Figure 1 depicts a system for client authentication in accordance with one or more embodiments of the invention.
  • Figure 2 depicts a flow chart for client authentication in accordance with one or more embodiments of the invention.
  • Figure 3 depicts a flow diagram for client authentication in accordance with one or more embodiments of the invention.
  • Figure 4 depicts a computer system in accordance with one or more embodiments of the invention.
  • embodiments of the invention provide a method and system for client authentication using a one time password (OTP).
  • OTP one time password
  • embodiments of the invention relate to obtaining a ticket-granting-ticket (TGT) from a keys distribution center (KDC) using an OTP.
  • TGT ticket-granting-ticket
  • KDC keys distribution center
  • one or more embodiments of the invention use cross-domain authentication and a Kerberos server that supports the use of OTPs to provide a client with access to a corporate domain server.
  • Figure 1 depicts a system for client authentication using OTPs in accordance with one or more embodiments of the invention. Specifically, Figure 1 depicts a client (102) associated with a user (103), a local KDC (104), and a corporate server (105) located in a corporate domain (100). Further, Figure 1 depicts a validation server (106) and an OTP KDC (108), located in Domain 2 (110). Each of the aforementioned components of Figure 1 is explained below.
  • the present invention involves authentication of a user for access to a corporate network using an OTP.
  • the OTP is a randomized password that is constantly changing and is unknown to the user.
  • the OTP is significantly small in size.
  • OTPs may be generated in multiple ways. For example, an OTP may be generated using a mathematical algorithm that generates a new password based on the previous password. Alternatively, an OTP may be based on time-synchronization between the authentication server and the client/device providing the OTP.
  • a new OTP may be generated using a mathematical algorithm based on a shared key between the authentication server and the client/device that provides the OTP and a counter independent of the previous password.
  • a mathematical algorithm based on a shared key between the authentication server and the client/device that provides the OTP and a counter independent of the previous password.
  • the OTP is generated using user smart card credentials.
  • the OTP may be generated using a smart card and/or a smart card reader.
  • an intelligent smart card may include the logic (i.e., a software application) configured to generate an OTP when the user inserts the smart card into a standard smart card reader.
  • the smart card also includes a secret key, which is shared with the backend authentication server.
  • the software application for generating an OTP may be stored within a smart card reader.
  • the smart card reader is an intelligent smart card reader that provides the user with an OTP when the user inserts a standard smart card into the intelligent smart card reader.
  • the user's smart card only includes a secret key shared with the backend authentication server.
  • the software application for generating an OTP may be located on the client that the user is using to log onto the corporate server or corporate network.
  • the software application for generating an OTP may be downloaded from a website accessed from a client. For example, suppose the user is using a third-party kiosk at a remote location to log into an internal corporate network. In this case, the user may navigate to a particular website using the kiosk, download the software application onto the kiosk, insert a smartcard or plug a smart card reader into the kiosk, and subsequently obtain an OTP from the client executing the software application.
  • the user may carry an OTP device capable of generating an OTP when a button is pressed on the device.
  • OTP device capable of generating an OTP when a button is pressed on the device.
  • Such a device may be any handheld device, such as a slim card that includes OTP generating logic, etc.
  • a user (103) may be a real user (e.g., an individual employee associated with the corporation represented by the corporate domain (100), a consumer, etc.), or a virtual user (i.e., a batch user) that uses a client (102) to gain access to one or more services and/or resources (107) provided by the corporate server (105).
  • the client (102) may be a kiosk, a computer, a hand-held device (e.g., a mobile phone, a personal digital assistant, a mobile media device, etc.), a thin client, or any other computing device that the user (103) uses to log into the corporate domain.
  • the user (103) accesses the corporate server (105) via the client (102).
  • a user may be an employee associated with a corporation who is traveling on business and needs to access the corporate server ( 105) from a kiosk (i.e., the client) at an airport.
  • the user (103) may access the corporate server (105) via a remote terminal server (not shown).
  • the present invention may apply to one or more different types of client (102) systems.
  • client 102
  • an employee may be located at a corporate site (e.g., at work) and may wish to log into the coiporate network using a local corporate machine.
  • the client may be the local corporate computer connected to the internal corporate network.
  • a user may log into a terminal server while located at the corporate site.
  • an employee may wish to log into a remote terminal server located at a remote corporate site.
  • an employee located on the corporate site in Austin, Texas may wish to log into a remote corporate server in South Africa.
  • the client may be the remote terminal server.
  • the client may be a handheld device, such as a media device, a mobile phone, a personal digital assistant, a kiosk, a gaming device, or any other portable/handheld electronic device with which the user may attempt to log into a corporate network.
  • the employee may be located remotely from a corporate site, e.g., at an airport kiosk, at home, etc., and may wish to access the corporate network using the kiosk or handheld device.
  • the client is depicted as being located in the corporate domain in Figure 1, those skilled in the art will appreciate that the client may be located in a different domain than the corporate domain.
  • embodiments of the invention may apply equally to a non-employee, such as a consumer.
  • a consumer of eBay may use embodiments of the invention to authenticate to eBay back-end services using a smart card or an OTP authentication.
  • the corporate server (105) is a server associated with a corporation, which the user is attempting to access using OTP authentication. The user may wish to access resources and/or services (107) provided by the corporate server (105).
  • the corporate server (105) may be a web server, a Lightweight Directory Access Protocol (LDAP) server, an exchange server for access to corporate e-mail, or any other type of server associated with a corporation.
  • LDAP Lightweight Directory Access Protocol
  • the local KDC ( 104) may be a Kerberos server, which includes functionality to store keys associated with multiple clients and corporate servers. Further, the KDC ( 104) provides the client (102) with short- term/session keys (109) used to establish a session and communicate with the corporate server (105). In one embodiment of the invention, the KDC (104) provides the client (102) with short-term/session keys (109) to communicate with the corporate server (105) upon receiving a valid TGT from the client (102).
  • the client (102) obtains a
  • the OTP KDC (108) may be an open-source KDC that is modified to support OTP functionality. That is, the OTP KDC (108) is a Kerberos server that is modified to support OTP authentication of a user. More specifically, the OTP KDC (108) is a server that works with the underlying structure of the corporate server system. For example, if the corporate structure uses Active Directory as the underlying Windows ® -based structure, then the OTP KDC (108) works together with the Active Directory infrastructure to provide corporate domain-level authentication of a user. Further, the OTP KDC (108) is located in a different domain than the client (102) and the corporate server (105). In Figure 1, the OTP KDC (108) is located in Domain 2 (110).
  • the OTP KDC (108) is configured to receive the OTP and user credentials from the client (102).
  • the OTP KDC (108) is operatively connected to a validation server (106).
  • the validation server (106) includes functionality to validate the OTP received by the OTP KDC (108).
  • the validation server validates the OTP using a challenge-response protocol, in which the protocol presents a question and waits for a correct answer to validate a particular piece of information.
  • a challenge-response protocol may include a standard Remote Authentication Dial-In User Service (RADIUS) protocol, a secure sockets layer (SSL) protocol, etc.
  • RADIUS Remote Authentication Dial-In User Service
  • SSL secure sockets layer
  • the OTP KDC includes functionality to issue an inter-domain key and a TGT (111) to the client.
  • the inter-domain key is a key that is used to encrypt the TGT.
  • the inter-domain key functions as the vehicle of trust between different domains. For example, if a TGT issued by the OTP KDC (108) that is encrypted by the inter-domain key can be decrypted using another inter- domain key located in a different domain, then this indicates that trust is established between the two domains.
  • the TGT is a long-term ticket that is used to obtain service tickets/session keys (109) from the local KDC (104).
  • FIG. 2 depicts a flow chart describing a process for log on authentication using a one time password in accordance with one or more embodiments of the invention.
  • an OTP and user credentials are received from a client (Step 200).
  • the OTP may be obtained by a user that is associated with the client using a smart card and a smart card reader or using a software application that is configured to generate an OTP based on user credentials.
  • User credentials sent by the client may include the OTP, a user name, and a domain name.
  • the OTP and user credentials are validated (Step 202).
  • an inter- domain key and a TGT (111) are issued to the client (Step 204).
  • the client requests a session key from the local KDC using the TGT (Step 206). That is, the client provides the TGT to the local KDC, and the KDC uses the TGT to issue a session key to the client.
  • the client uses the inter-domain key to decrypt the TGT before providing the TGT to the local KDC.
  • the client may send both the inter-domain key and the TGT to the local KDC, which performs the decryption of the TGT using the inter-domain key.
  • the client uses the session key ( 109) to initiate communication and establish a session with a corporate server (Step 208).
  • the aforementioned process may be used for gateway authentication.
  • Gateway authentication applies when the user has access to a third-party network. Using the third-party network, the user wishes to gain access resources/services on a corporate domain. For example, a user may be using an affiliated companies' network, from which the user wishes to access resources/services on a corporate domain.
  • the gateway e.g., a router, a software application, etc.
  • the gateway challenges the user's OTP and other credentials such as a username and domain information.
  • the gateway is modified to support the recognition of an OTP from the user.
  • the web page associated with the gateway that is initially presented to the user when the user attempts to log on from the third-party network, prompts the user for a domain name, an OTP, and a username. Subsequently, the gateway requests authentication of the user from the backend authentication server.
  • the gateway may obtain the OTP and credentials directly from the smart card.
  • the gateway may subsequently obtain the OTP and the user credentials from the unlocked smart card.
  • the gateway acts as a Kerberos proxy agent between the user and any corporate resource/service the user is attempting to access.
  • a corporate resource/service may be a service hosted on an Internet Information Service (IIS) web server or a Citrix terminal server.
  • IIS Internet Information Service
  • OTP authentication may be used to perform functionalities in addition to log on authentication.
  • an OTP may be used for unlocking, offline authentication, and/or password caching.
  • Unlocking is the process by which a user's workstation is made secure for short periods of time, for example, when a user leaves his/her workstation for a short period of time.
  • the OTP may be used to unlock the workstation upon the user's return.
  • Offline authentication is the process by which a user logs on to his/her workstation while being disconnected from a network.
  • the OTP may be used to log on the user while the user is offline.
  • offline authentication requires user credentials to be cached locally on the workstation.
  • the user obtains an OTP from a device such as a smart card or another type of OTP generating device, e.g., an OTP based token.
  • a user may obtain an OTP using a display card (e.g., a credit card looking plastic device) that displays generated OTPs on the face of the card.
  • the user is required to provide a personal identification number (PIN) (or some other type of unique identifier) to generate an OTP.
  • PIN personal identification number
  • the smart card may be enabled with an OTP application for generating an OTP.
  • the smart card may include a private memory space with a shared key and a counter stored in the private memory space.
  • the OTP application uses the PIN to unlock the shared key and the counter from the private memory space.
  • the OTP application then executes the algorithm and returns the next OTP to the user.
  • the shared key and the counter are embedded into the circuitry of the token/display card, and thus, the OTP can be displayed to the user by the click of a button on the token/display card.
  • the user provides the OTP and a user name when logging onto an authenticating entity on the client device.
  • the authenticating entity may be a dialog box that is displayed on the client device which prompts the user for a user name.
  • the authenticating entity may be Graphical Identification and Authentication (GINA).
  • the authenticating entity may be on the local client device or a terminal server, depending on what type of client the user is authenticating from. In either case, the authenticating entity is modified to support OTP authentication, which improves the latency in authentication of the user.
  • the OTP credential extraction from the smart card is handled in fewer calls between the authenticating entity and the smart card logic.
  • the aforementioned transaction calls are eliminated because the OTP is generated locally by a click of a button on the device.
  • Figure 3 depicts an example flow diagram in accordance with one or more embodiments of the invention. Specifically, the flow diagram provides a detailed overview of client authentication to an internal corporate network in accordance with one or more embodiments of the invention. Figure 3 depicts five entities involved in the authentication process: a user (220), a virtual private network (VPN) gateway (222), Active Directory (224), OTP KDC (226), and one or more internal corporate applications (228) to which the user is ultimately attempting to gain access.
  • VPN virtual private network
  • OTP KDC OTP KDC
  • the credentials provided by the user (220) are an OTP and a user name.
  • the user may also indicate which internal corporate application the user wishes to access.
  • the VPN gateway then obtains the corporate internal IP address and transmits the IP address to the user (220) (ST232). More specifically, the VPN gateway (222) provides the user with two IP addresses - a local IP address corresponding to the user's internet service provider (ISP), and a second internal network IP address corresponding to the internal corporate network the user is attempting to access.
  • ISP internet service provider
  • the VPN gateway (222) sends the OTP and user name provided by the user (220) to the OTP KDC (226) (ST234).
  • the OTP KDC (226) then verifies the OTP and user name and if the user is one that is permitted access to the internal corporate network, the OTP KDC (226) issues a TGT and an inter-domain ticket and transmits the TGT and inter-domain ticket to the VPN gateway (222) (ST 236).
  • the VPN gateway (222) subsequently caches the TGT and inter-domain ticket granted by the OTP KDC (226) in a local cache (238).
  • the TGT issued by the OTP KDC (226) may be associated with a duration of time, e.g., a few days, a week, etc., and may be cached by the VPN gateway until the TGT duration expires.
  • the corporate application (228) to which the user requested access issues an authentication request (ST240).
  • the authentication request is sent to the VPN gateway (222), and indicates to the VPN gateway (222) that the internal corporate application (228) requires a service ticket for access to the application to be granted to a permitted user.
  • the authentication request is issued by the internal corporate application (228) via a known protocol.
  • the VPN gateway (222) may transmit the cached TGT and inter-domain ticket, along with request for a service ticket, to the Active Directory (224) server (ST242).
  • the server from which a service ticket is requested by the VPN gateway (222) may be a Kerberos-compliant server other than Active Directory.
  • the server may be an MIT Kerberos server.
  • Active Directory (224) subsequently returns a service ticket in response to the request transmitted by the VPN gateway (222) (ST244).
  • the service ticket may also be associated with a duration, typically eight hours, although the duration of the service ticket may be any length of time.
  • the service ticket When the service ticket is received by the VPN gateway (222), the service ticket may be cached in the local cache (238). Finally, the service ticket is sent by the VPN gateway (222) to the internal network application that the user desires to access (ST246), and access to the internal corporate application is granted to the user (ST248).
  • embodiments of the invention provide a single sign-on experience for the user. That is, once the user sends an OTP and a user name to the VPN gateway, the remainder of the process to authenticate the user is transparent to the user. Furthermore, in one or more embodiments of the invention, the present invention provides integrated remote access. Specifically, a user needs to carry only one hand-held device (e.g., a smart card capable of providing an OTP, an OTP generating device, etc.) to obtain inter-domain level authentication and to gain access to an internal corporate network. Those skilled in the art will appreciate that the user may carry more than one device if the user desires. For example, the user may carry both an OTP generating device and a smart card.
  • a hand-held device e.g., a smart card capable of providing an OTP, an OTP generating device, etc.
  • the invention may be implemented on virtually any type of computing device regardless of the platform being used. For example, as shown in Figure
  • a computer system includes a processor (302), associated memory
  • the computer (300) may also include input means, such as a keyboard (308) and a mouse (310), and output means, such as a monitor (312).
  • the computer system (300) is connected to a local area network (LAN) or a wide area network (e.g., the Internet) (not shown) via a network interface connection (not shown).
  • LAN local area network
  • a wide area network e.g., the Internet
  • one or more elements of the aforementioned computer system (300) may be located at a remote location and connected to the other elements over a network.
  • the invention may be implemented on a distributed system having a plurality of nodes, where each portion of the invention (e.g., the client, the open-source KDC Kerberos server, the validation server, etc.) may be located on a different node within the distributed system.
  • the node corresponds to a computer system.
  • the node may correspond to a processor with associated physical memory.
  • the node may alternatively correspond to a processor with shared memory and/or resources.
  • software instructions to perform embodiments of the invention may be stored on a computer readable medium such as a compact disc (CD), a diskette, a tape, a file, or any other computer readable storage device.
  • Embodiments of the invention provide a method and system for using a one time password (OTP) as an alternate type of credential for client log on and authentication to an internal corporate network.
  • OTP one time password
  • a user is not required to keep track of passwords or perform password maintenance to obtain access to a corporate server from a remote location.
  • the OTP may be used as an alternative to certificate authentication, for example. Because OTPs are smaller in size than smart card certificates, they are ideally suited for high-latency network authentication and for remote access.
  • OTPs are smaller in size than smart card certificates, they are ideally suited for high-latency network authentication and for remote access.
  • embodiments of the invention provide a method of leveraging one time password authentication with existing corporate structures that do not provide any native flexible authentication mechanisms, and thereby do not support different types of authentication credentials.
  • the Active Directory Windows infrastructure does not support one time password or any other authentication credential.
  • a user can employ smart card log on and an OTP to authenticate to a corporate environment via the Kerberos protocol. Further, embodiments of the invention support smart card log on for a user, while improving the time required to authenticate using smart card authentication with respect to remote services. Moreover, embodiments of the invention go beyond network-level authentication to provide domain-level authentication, such that a user presenting the right set of credentials can access resources which require domain-level credentials in addition to the network- level access.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

A system for client authentication using a one time password (OTP) including a client configured to request access to an application executing on an internal corporate network, and transmit the OTP and a user name associated with a user to an OTP keys distribution center (KDC), wherein the OTP is used to authenticate the user to the internal corporate network, and the OTP KDC configured to receive the OTP from the client, and issue an inter-domain key and a ticket-granting-ticket (TGT) to the client upon validation of the OTP, wherein the inter-domain key and the TGT are used to authenticate the client and grant access to the application.

Description

METHOD AND SYSTEM FOR ONE TIME PASSWORD BASED AUTHENTICATION AND INTEGRATED REMOTE
ACCESS
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This application claims benefit of U.S. Provisional Patent Application
No. 60/844,601, filed on September 14, 2006, and entitled "Method and System for One Time Password and Smart Card Authentication," in the name of the same inventor as the present application.
[0002] This application claims benefit of U.S. Non-Provisional Patent
Application No. 11/855,017, filed September 13, 2007, entitled "Method and System for One Time Password Based Authentication and Integrated Remote Access," in the name of the same inventor as the present application.
BACKGROUND
[0003] Kerberos is a network authentication protocol that is designed to provide strong authentication for client/server applications by using secret-key cryptography. Most commonly, Kerberos is used as the underlying authentication protocol for the Windows® operating system. Kerberos authentication is a single sign-on protocol that typically involves three entities: a Keys Distribution Center (KDC), a client (i.e., a user), and the server with the desired service for which access is requested by the client. The KDC is a Kerberos server that stores keys associated with multiple servers and clients. The KDC is installed as part of the domain controller and performs two service functions: the Authentication Service (AS) and the Ticket- Granting Service (TGS).
[0004] When initially logging on to a network, clients must negotiate access by providing a long-term key (also called a ticket granting ticket (TGT)) in order to be verified by the AS portion of a KDC within their domain. Subsequently, the client can request other short-term keys or session keys for communication with one or more servers. Session keys are requested using the already obtained TGT. To obtain the TGT, the client logs on to a workstation (e.g., using static passwords, smart card credentials, etc.). The client is then prompted to contact the KDC, which generates the TGT using the TGS after authenticating the client's log on credentials. In the case where a client is using smart card credentials, the certificate stored on the smart card may be extracted locally and used to generate a TGT request, and the TGT request is subsequently sent to the KDC. The KDC provides the TGT to the client upon validation of the smart card certificate. Once successfully authenticated, the user is granted the TGT, which is valid for the local domain. When a client uses smart card credentials to authenticate to the KDC, the client's password is randomized and the client has no control over the password. The TGT obtained from the KDC is typically cached on the local machine in volatile memory space and used to request sessions with services throughout the network. The client authentication with the KDC can take place using any authentication scheme, such as static passwords, PKI credentials, etc. After establishing trust with the KDC, the KDC releases the secret keys associated with the server and provides the secret keys to the client for establishing a session between the client and the server. Further, clients can obtain access to servers on different domains using the transitive properties between the different domains. The transitive property states that if Domain A has established trust with Domain B, and Domain B has established trust with Domain C, then Domain A has automatically established trust to Domain C. Using this property, a client can communicate with a server in a different domain. Initially, the client uses the TGS service of the KDC located in Domain A to obtain a referral ticket for a second KDC located in Domain B. Subsequently, the referral ticket with the TGS service on the KDC in Domain B is used to obtain a second referral ticket for Domain C. Then, the second referral ticket is used with the TGS service on the KDC for Domain C to obtain a session ticket for the server in Domain C. [0006] In some instances, a client may attempt to log on (using smart card credentials) to a remote terminal server. In this case, some of the layers of the stack that are used to perform the extraction and authentication of the smart card certificate are located on the terminal server, while other layers of the stack are located on the local client machine. In some cases, this may cause delays in the log on and subsequent unlocking of a user session.
SUMMARY
[0007] In general, in one aspect, the invention relates to a system for client authentication using a one time password (OTP), comprising a client configured to request access to an application executing on an internal corporate network, and transmit the OTP and a user name associated with a user to an OTP keys distribution center (KDC), wherein the OTP is used to authenticate the user to the internal corporate network, and the OTP KDC configured to receive the OTP from the client, and issue an inter-domain key and a ticket-granting-ticket (TGT) to the client upon validation of the OTP, wherein the inter-domain key and the TGT are used to authenticate the client and grant access to the application.
[0008] In general, in one aspect, the invention relates to a method for client authentication using a one time password (OTP), comprising receiving the OTP from a client, wherein the OTP is used to authenticate a user to the internal corporate network, validating the OTP, issuing an inter-domain key and a ticket-granting-ticket (TGT) to the client upon validation of the OTP, requesting a service ticket using the TGT and the inter-domain key, and establishing communication with a corporate server executing an application on the internal coiporate network using the service ticket.
[0009] In general, in one aspect, the invention relates to a computer system, comprising a processor, a memory, a storage device, and software instruction stored in the memory for enabling the computer system under control of the processor to receive the OTP from a client, wherein the OTP is used to authenticate a user to the internal corporate network, validate the OTP, issue an inter- domain key and a ticket-granting- ticket (TGT) to the client upon validation of the OTP, request a service ticket using the TGT and the inter- domain key, and establish communication with a corporate server executing an application on the internal corporate network using the service ticket.
[0010] In general, in one aspect, the invention relates to a method for client authentication using an authentication credential, comprising receiving the authentication credential associated with a user from a client, wherein the authentication credential is used to authenticate the user to the internal corporate network, validating the authentication credential, issuing an inter- domain key and a ticket- granting-ticket (TGT) to the client upon validation of the authentication credential, requesting a service ticket using the TGT and the inter-domain key, and establishing communication with a corporate server executing an application on the internal corporate network using the service ticket.
[0011] Other aspects of the invention will be apparent from the following description and the appended claims.
BRIEF DESCRIPTION OF DRAWINGS
[0012] Figure 1 depicts a system for client authentication in accordance with one or more embodiments of the invention.
[0013] Figure 2 depicts a flow chart for client authentication in accordance with one or more embodiments of the invention.
[0014] Figure 3 depicts a flow diagram for client authentication in accordance with one or more embodiments of the invention.
[0015] Figure 4 depicts a computer system in accordance with one or more embodiments of the invention. DETAILED DESCRIPTION
[0016] Specific embodiments of the invention will now be described in detail with reference to the accompanying figures. Like elements in the various figures are denoted by like reference numerals for consistency.
[0017] In the following detailed description of embodiments of the invention, numerous specific details are set forth in order to provide a more thorough understanding of the invention. However, it will be apparent to one of ordinary skill in the art that the invention may be practiced without these specific details. In other instances, well-known features have not been described in detail to avoid unnecessarily complicating the description.
[0018] In general, embodiments of the invention provide a method and system for client authentication using a one time password (OTP). Specifically, embodiments of the invention relate to obtaining a ticket-granting-ticket (TGT) from a keys distribution center (KDC) using an OTP. More specifically, one or more embodiments of the invention use cross-domain authentication and a Kerberos server that supports the use of OTPs to provide a client with access to a corporate domain server.
[0019] Figure 1 depicts a system for client authentication using OTPs in accordance with one or more embodiments of the invention. Specifically, Figure 1 depicts a client (102) associated with a user (103), a local KDC (104), and a corporate server (105) located in a corporate domain (100). Further, Figure 1 depicts a validation server (106) and an OTP KDC (108), located in Domain 2 (110). Each of the aforementioned components of Figure 1 is explained below.
[0020] As mentioned above, the present invention involves authentication of a user for access to a corporate network using an OTP. In one embodiment of the invention, the OTP is a randomized password that is constantly changing and is unknown to the user. In addition to the random nature of the OTP, the OTP is significantly small in size. OTPs may be generated in multiple ways. For example, an OTP may be generated using a mathematical algorithm that generates a new password based on the previous password. Alternatively, an OTP may be based on time-synchronization between the authentication server and the client/device providing the OTP. In another example, a new OTP may be generated using a mathematical algorithm based on a shared key between the authentication server and the client/device that provides the OTP and a counter independent of the previous password. Those skilled in the art will appreciate that although embodiments of the invention discuss the use of a OTP as the authentication credential to authentication a user, embodiments of the invention may be used to authenticate a user using other authentication credentials, such as biometric authentication credentials, or any other authentication credential that is small in size and can be identified as a unique identifier of a user.
[0021] In one or more embodiments of the invention, the OTP is generated using user smart card credentials. The OTP may be generated using a smart card and/or a smart card reader. For example, in one embodiment of the invention, an intelligent smart card may include the logic (i.e., a software application) configured to generate an OTP when the user inserts the smart card into a standard smart card reader. Along with the application, the smart card also includes a secret key, which is shared with the backend authentication server. Alternatively, in one or more embodiments of the invention, the software application for generating an OTP may be stored within a smart card reader. In this case, the smart card reader is an intelligent smart card reader that provides the user with an OTP when the user inserts a standard smart card into the intelligent smart card reader. In this scenario, the user's smart card only includes a secret key shared with the backend authentication server.
[0022] Those skilled in the art will appreciate that other methods for generating an OTP may exist. For example, the software application for generating an OTP may be located on the client that the user is using to log onto the corporate server or corporate network. Alternatively, in one embodiment of the invention, the software application for generating an OTP may be downloaded from a website accessed from a client. For example, suppose the user is using a third-party kiosk at a remote location to log into an internal corporate network. In this case, the user may navigate to a particular website using the kiosk, download the software application onto the kiosk, insert a smartcard or plug a smart card reader into the kiosk, and subsequently obtain an OTP from the client executing the software application.
[0023] In further embodiments of the invention, the user may carry an OTP device capable of generating an OTP when a button is pressed on the device. Such a device may be any handheld device, such as a slim card that includes OTP generating logic, etc.
[0024] Referring to Figure 1, in one or more embodiments of the invention, a user (103) may be a real user (e.g., an individual employee associated with the corporation represented by the corporate domain (100), a consumer, etc.), or a virtual user (i.e., a batch user) that uses a client (102) to gain access to one or more services and/or resources (107) provided by the corporate server (105). The client (102) may be a kiosk, a computer, a hand-held device (e.g., a mobile phone, a personal digital assistant, a mobile media device, etc.), a thin client, or any other computing device that the user (103) uses to log into the corporate domain. In one embodiment of the invention, the user (103) accesses the corporate server (105) via the client (102). For example, a user may be an employee associated with a corporation who is traveling on business and needs to access the corporate server ( 105) from a kiosk (i.e., the client) at an airport. Alternatively, in one or more embodiments of the invention, the user (103) may access the corporate server (105) via a remote terminal server (not shown).
[0025] In one or more embodiments of the invention, the present invention may apply to one or more different types of client (102) systems. For example, an employee may be located at a corporate site (e.g., at work) and may wish to log into the coiporate network using a local corporate machine. In this case, the client may be the local corporate computer connected to the internal corporate network. Alternatively, in one or more embodiments of the invention, a user may log into a terminal server while located at the corporate site. More specifically, an employee may wish to log into a remote terminal server located at a remote corporate site. For example, an employee located on the corporate site in Austin, Texas, may wish to log into a remote corporate server in South Africa. In this case, the client may be the remote terminal server.
[0026] In other embodiments of the invention, the client may be a handheld device, such as a media device, a mobile phone, a personal digital assistant, a kiosk, a gaming device, or any other portable/handheld electronic device with which the user may attempt to log into a corporate network. In this scenario, the employee may be located remotely from a corporate site, e.g., at an airport kiosk, at home, etc., and may wish to access the corporate network using the kiosk or handheld device. Thus, while the client is depicted as being located in the corporate domain in Figure 1, those skilled in the art will appreciate that the client may be located in a different domain than the corporate domain. Those skilled in the art will appreciate that while the aforementioned examples specify the user as an "employee," embodiments of the invention may apply equally to a non-employee, such as a consumer. For example, in an eBay transaction, a consumer of eBay may use embodiments of the invention to authenticate to eBay back-end services using a smart card or an OTP authentication.
[0027] Further, in one or more embodiments of the invention, the corporate server (105) is a server associated with a corporation, which the user is attempting to access using OTP authentication. The user may wish to access resources and/or services (107) provided by the corporate server (105). The corporate server (105) may be a web server, a Lightweight Directory Access Protocol (LDAP) server, an exchange server for access to corporate e-mail, or any other type of server associated with a corporation.
[0028] As described above, the local KDC ( 104) may be a Kerberos server, which includes functionality to store keys associated with multiple clients and corporate servers. Further, the KDC ( 104) provides the client (102) with short- term/session keys (109) used to establish a session and communicate with the corporate server (105). In one embodiment of the invention, the KDC (104) provides the client (102) with short-term/session keys (109) to communicate with the corporate server (105) upon receiving a valid TGT from the client (102).
[0029] In one or more embodiments of the invention, the client (102) obtains a
TGT from the OTP KDC (108). The OTP KDC (108) may be an open-source KDC that is modified to support OTP functionality. That is, the OTP KDC (108) is a Kerberos server that is modified to support OTP authentication of a user. More specifically, the OTP KDC (108) is a server that works with the underlying structure of the corporate server system. For example, if the corporate structure uses Active Directory as the underlying Windows®-based structure, then the OTP KDC (108) works together with the Active Directory infrastructure to provide corporate domain-level authentication of a user. Further, the OTP KDC (108) is located in a different domain than the client (102) and the corporate server (105). In Figure 1, the OTP KDC (108) is located in Domain 2 (110). In one or more embodiments of the invention, trust is established between the Corporate Domain (100) and Domain 2 (110). Those skilled in the art will appreciate that inter-domain trust is established using methods well known in the art and a discussion of such methods is beyond the scope of the present invention.
[0030] Further, the OTP KDC (108) is configured to receive the OTP and user credentials from the client (102). The OTP KDC (108) is operatively connected to a validation server (106). The validation server (106) includes functionality to validate the OTP received by the OTP KDC (108). In one or more embodiments of the invention, the validation server validates the OTP using a challenge-response protocol, in which the protocol presents a question and waits for a correct answer to validate a particular piece of information. For example, a challenge-response protocol that may be employed by the validation server (106) may include a standard Remote Authentication Dial-In User Service (RADIUS) protocol, a secure sockets layer (SSL) protocol, etc.
[0031] Continuing with Figure 1, the OTP KDC includes functionality to issue an inter-domain key and a TGT (111) to the client. The inter-domain key is a key that is used to encrypt the TGT. Further, the inter-domain key functions as the vehicle of trust between different domains. For example, if a TGT issued by the OTP KDC (108) that is encrypted by the inter-domain key can be decrypted using another inter- domain key located in a different domain, then this indicates that trust is established between the two domains. As described above, the TGT is a long-term ticket that is used to obtain service tickets/session keys (109) from the local KDC (104).
[0032] Figure 2 depicts a flow chart describing a process for log on authentication using a one time password in accordance with one or more embodiments of the invention. Initially, an OTP and user credentials are received from a client (Step 200). As described above, the OTP may be obtained by a user that is associated with the client using a smart card and a smart card reader or using a software application that is configured to generate an OTP based on user credentials. User credentials sent by the client may include the OTP, a user name, and a domain name. Subsequently, the OTP and user credentials are validated (Step 202). Upon validation of the OTP, an inter- domain key and a TGT (111) are issued to the client (Step 204).
[0033] At this stage, the client requests a session key from the local KDC using the TGT (Step 206). That is, the client provides the TGT to the local KDC, and the KDC uses the TGT to issue a session key to the client. In one embodiment of the invention, the client uses the inter-domain key to decrypt the TGT before providing the TGT to the local KDC. Alternatively, the client may send both the inter-domain key and the TGT to the local KDC, which performs the decryption of the TGT using the inter-domain key. Upon receiving the session key (109) from the local KDC, the client uses the session key ( 109) to initiate communication and establish a session with a corporate server (Step 208). Finally, access to resources and/or services provided by the corporate server, such as e-mail functionality, access to internal corporate resources, etc., is obtained via the corporate server (Step 210). In one or more embodiments of the invention, the aforementioned process may be used for gateway authentication. Gateway authentication applies when the user has access to a third-party network. Using the third-party network, the user wishes to gain access resources/services on a corporate domain. For example, a user may be using an affiliated companies' network, from which the user wishes to access resources/services on a corporate domain. In this case, the gateway (e.g., a router, a software application, etc.) associated with the corporate domain, challenges the user's OTP and other credentials such as a username and domain information. More specifically, in one embodiment of the invention, the gateway is modified to support the recognition of an OTP from the user. The web page associated with the gateway that is initially presented to the user when the user attempts to log on from the third-party network, prompts the user for a domain name, an OTP, and a username. Subsequently, the gateway requests authentication of the user from the backend authentication server. Alternatively, in one or more embodiments of the invention, the gateway may obtain the OTP and credentials directly from the smart card. In this case, the user may input a pin number (or any other type of identifier that unlocks the user credentials stored on the smart card, such as a biometric identifier, etc.) unlocking the smart card, and the gateway may subsequently obtain the OTP and the user credentials from the unlocked smart card. Once the user is authenticated, the gateway acts as a Kerberos proxy agent between the user and any corporate resource/service the user is attempting to access. For example, a corporate resource/service may be a service hosted on an Internet Information Service (IIS) web server or a Citrix terminal server. At this stage, from the user's perspective, the user may access any resource/service on the corporate domain without re- authenticating because the gateway acts as a Kerberos proxy agent and takes care of the authentication calls for the resources/services the user attempts to access. [0035] Those skilled in the art will appreciate that OTP authentication may be used to perform functionalities in addition to log on authentication. For example, an OTP may be used for unlocking, offline authentication, and/or password caching. Unlocking is the process by which a user's workstation is made secure for short periods of time, for example, when a user leaves his/her workstation for a short period of time. In this case, when the user locks the workstation (e.g., by pulling out the smart card), the OTP may be used to unlock the workstation upon the user's return. Offline authentication is the process by which a user logs on to his/her workstation while being disconnected from a network. In this scenario, the OTP may be used to log on the user while the user is offline. In one embodiment of the invention, offline authentication requires user credentials to be cached locally on the workstation.
[0036] From the user's perspective, the user obtains an OTP from a device such as a smart card or another type of OTP generating device, e.g., an OTP based token. Alternatively, a user may obtain an OTP using a display card (e.g., a credit card looking plastic device) that displays generated OTPs on the face of the card. In one or more embodiments of the invention, the user is required to provide a personal identification number (PIN) (or some other type of unique identifier) to generate an OTP. In the case of the smart card generated OTP, the smart card may be enabled with an OTP application for generating an OTP. In addition, the smart card may include a private memory space with a shared key and a counter stored in the private memory space. When a user enters a correct PIN, the OTP application uses the PIN to unlock the shared key and the counter from the private memory space. The OTP application then executes the algorithm and returns the next OTP to the user. Alternatively, when an OTP is generated by a token or a display card, the shared key and the counter are embedded into the circuitry of the token/display card, and thus, the OTP can be displayed to the user by the click of a button on the token/display card.
[0037] In one or more embodiments of the invention, the user provides the OTP and a user name when logging onto an authenticating entity on the client device. The authenticating entity may be a dialog box that is displayed on the client device which prompts the user for a user name. For example, in a Windows®-based client system, the authenticating entity may be Graphical Identification and Authentication (GINA). The authenticating entity may be on the local client device or a terminal server, depending on what type of client the user is authenticating from. In either case, the authenticating entity is modified to support OTP authentication, which improves the latency in authentication of the user. In this case where a user uses a smart card to provide the OTP to the authenticating entity, the OTP credential extraction from the smart card is handled in fewer calls between the authenticating entity and the smart card logic. In the case where the OTP is obtained using devices in which the shared key and counter are embedded in the circuitry of the device, the aforementioned transaction calls are eliminated because the OTP is generated locally by a click of a button on the device.
[0038] Figure 3 depicts an example flow diagram in accordance with one or more embodiments of the invention. Specifically, the flow diagram provides a detailed overview of client authentication to an internal corporate network in accordance with one or more embodiments of the invention. Figure 3 depicts five entities involved in the authentication process: a user (220), a virtual private network (VPN) gateway (222), Active Directory (224), OTP KDC (226), and one or more internal corporate applications (228) to which the user is ultimately attempting to gain access.
[0039] Initially, the user (220) sends credentials to the VPN gateway (222)
(ST230). Specifically, in one or more embodiments of the invention, the credentials provided by the user (220) are an OTP and a user name. At this initial step, the user may also indicate which internal corporate application the user wishes to access. The VPN gateway then obtains the corporate internal IP address and transmits the IP address to the user (220) (ST232). More specifically, the VPN gateway (222) provides the user with two IP addresses - a local IP address corresponding to the user's internet service provider (ISP), and a second internal network IP address corresponding to the internal corporate network the user is attempting to access.
[0040] At this stage, the VPN gateway (222) sends the OTP and user name provided by the user (220) to the OTP KDC (226) (ST234). The OTP KDC (226) then verifies the OTP and user name and if the user is one that is permitted access to the internal corporate network, the OTP KDC (226) issues a TGT and an inter-domain ticket and transmits the TGT and inter-domain ticket to the VPN gateway (222) (ST 236). The VPN gateway (222) subsequently caches the TGT and inter-domain ticket granted by the OTP KDC (226) in a local cache (238). The TGT issued by the OTP KDC (226) may be associated with a duration of time, e.g., a few days, a week, etc., and may be cached by the VPN gateway until the TGT duration expires. Next, the corporate application (228) to which the user requested access issues an authentication request (ST240). The authentication request is sent to the VPN gateway (222), and indicates to the VPN gateway (222) that the internal corporate application (228) requires a service ticket for access to the application to be granted to a permitted user. In one or more embodiments of the invention, the authentication request is issued by the internal corporate application (228) via a known protocol.
[0041] Continuing with Figure 3, the VPN gateway (222) may transmit the cached TGT and inter-domain ticket, along with request for a service ticket, to the Active Directory (224) server (ST242). Those skilled in the art will appreciate that the server from which a service ticket is requested by the VPN gateway (222) may be a Kerberos-compliant server other than Active Directory. For example, the server may be an MIT Kerberos server. Active Directory (224) subsequently returns a service ticket in response to the request transmitted by the VPN gateway (222) (ST244). The service ticket may also be associated with a duration, typically eight hours, although the duration of the service ticket may be any length of time. When the service ticket is received by the VPN gateway (222), the service ticket may be cached in the local cache (238). Finally, the service ticket is sent by the VPN gateway (222) to the internal network application that the user desires to access (ST246), and access to the internal corporate application is granted to the user (ST248).
[0042] Those skilled in the art will appreciate that a single service ticket only permits a user to access the originally requested corporate application. For each additional corporate application the user wishes to access, a separate and distinct service ticket may be issued by the system described in the present invention.
[0043] Thus, in the above-described process, the user only has to provide credentials once to gain access to a corporate network and applications executing on the corporate network. Thus, embodiments of the invention provide a single sign-on experience for the user. That is, once the user sends an OTP and a user name to the VPN gateway, the remainder of the process to authenticate the user is transparent to the user. Furthermore, in one or more embodiments of the invention, the present invention provides integrated remote access. Specifically, a user needs to carry only one hand-held device (e.g., a smart card capable of providing an OTP, an OTP generating device, etc.) to obtain inter-domain level authentication and to gain access to an internal corporate network. Those skilled in the art will appreciate that the user may carry more than one device if the user desires. For example, the user may carry both an OTP generating device and a smart card.
[0044] The invention may be implemented on virtually any type of computing device regardless of the platform being used. For example, as shown in Figure
4, a computer system (300) includes a processor (302), associated memory
(304), a storage device (306), and numerous other elements and functionalities typical of today's computers (not shown). The computer (300) may also include input means, such as a keyboard (308) and a mouse (310), and output means, such as a monitor (312). The computer system (300) is connected to a local area network (LAN) or a wide area network (e.g., the Internet) (not shown) via a network interface connection (not shown). Those skilled in the art will appreciate that these input and output means may take other forms.
[0045] Further, those skilled in the art will appreciate that one or more elements of the aforementioned computer system (300) may be located at a remote location and connected to the other elements over a network. Further, the invention may be implemented on a distributed system having a plurality of nodes, where each portion of the invention (e.g., the client, the open-source KDC Kerberos server, the validation server, etc.) may be located on a different node within the distributed system. In one embodiment of the invention, the node corresponds to a computer system. Alternatively, the node may correspond to a processor with associated physical memory. The node may alternatively correspond to a processor with shared memory and/or resources. Further, software instructions to perform embodiments of the invention may be stored on a computer readable medium such as a compact disc (CD), a diskette, a tape, a file, or any other computer readable storage device.
[0046] Embodiments of the invention provide a method and system for using a one time password (OTP) as an alternate type of credential for client log on and authentication to an internal corporate network. Advantageously, using embodiments of the present invention, a user is not required to keep track of passwords or perform password maintenance to obtain access to a corporate server from a remote location. The OTP may be used as an alternative to certificate authentication, for example. Because OTPs are smaller in size than smart card certificates, they are ideally suited for high-latency network authentication and for remote access. Thus, by leveraging OTPs in an authentication framework, as embodiments of the present invention describe, the time required for authentication of a user that may be in a remote location or seeking to log into a terminal server in a remote location is greatly reduced. In addition, embodiments of the invention provide a method of leveraging one time password authentication with existing corporate structures that do not provide any native flexible authentication mechanisms, and thereby do not support different types of authentication credentials. For example, the Active Directory Windows infrastructure does not support one time password or any other authentication credential.
[0047] Using the method of the present invention, a user can employ smart card log on and an OTP to authenticate to a corporate environment via the Kerberos protocol. Further, embodiments of the invention support smart card log on for a user, while improving the time required to authenticate using smart card authentication with respect to remote services. Moreover, embodiments of the invention go beyond network-level authentication to provide domain-level authentication, such that a user presenting the right set of credentials can access resources which require domain-level credentials in addition to the network- level access.
[0048] While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this disclosure, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as disclosed herein. Accordingly, the scope of the invention should be limited only by the attached claims.

Claims

CLAIMSWhat is claimed is:
1. A system for client authentication using a one time password (OTP), comprising: a client configured to request access to an application executing on an internal corporate network, and transmit the OTP and a user name associated with a user to an OTP keys distribution center (KDC), wherein the OTP is used to authenticate the user to the internal corporate network; and the OTP KDC configured to receive the OTP from the client, and issue an inter-domain key and a ticket-granting-ticket (TGT) to the client upon validation of the OTP, wherein the inter-domain key and the TGT are used to authenticate the client and grant access to the application.
2. The system of claim 1 , wherein the client is one selected from a group consisting of a local corporate machine, a handheld device, a computer, a kiosk, and a remote terminal server.
3. The system of claim 2, wherein the user is a remote user on an external network, and wherein the remote user, using the client, is authenticated to the application hosted by the corporate server via a single sign-on experience.
4. The system of claim 1 , wherein the client comprises an authenticating entity modified to support OTP authentication, wherein the authenticating entity obtains the OTP from the user.
5. The system of claim 1 , wherein the OTP is generated using one selected from a group consisting of a smart card, an OTP token, and a display card.
6. The system of claim 1 , wherein the client is further configured to request access to resources and services associated with a corporate server.
7. The system of claim 1 , further comprising: a validation server operatively connected to the OTP KDC and configured to validate the OTP received from the client.
8. The system of claim 1, wherein the client is located in a first domain and the OTP KDC is located in a second domain.
9. The system of claim 8, wherein the inter-domain key is used to verify that trust is established between the first domain and the second domain.
10. The system of claim 1, further comprising: a local keys distribution center (KDC) configured to issue a service ticket to the client, wherein the service ticket is a short-term ticket used to establish communication between the client and a corporate server executing the application.
11. The system of claim 10, wherein the TGT is encrypted using the inter-domain key, and wherein the local KDC is further configured to decrypt the TGT using the inter-domain key.
12. The system of claim 10, wherein the TGT is a long-term ticket used to obtain the service ticket from the local KDC.
13. The system of claim 1, wherein the OTP is a randomized password generated using a mathematical algorithm and a previous password.
14. The system of claim 1, wherein the user is an employee of a corporation associated with the internal corporate network, and wherein the internal corporate network is located in a third domain.
15. The system of claim 1, wherein the local KDC and the OTP KDC are Kerberos servers.
16. A method for client authentication using a one time password (OTP), comprising: receiving the OTP from a client, wherein the OTP is used to authenticate a user to the internal coiporate network; validating the OTP; issuing an inter-domain key and a ticket- granting- ticket (TGT) to the client upon validation of the OTP; requesting a service ticket using the TGT and the inter-domain key; and establishing communication with a corporate server executing an application on the internal corporate network using the service ticket.
17. The method of claim 16, further comprising: caching the TGT5 the inter-domain key, and the service ticket.
18. The method of claim 16, wherein the client is one selected from a group consisting of a local corporate machine, a handheld device, a computer, a third-party kiosk, and a remote terminal server.
19. The method of claim 18, wherein the user is a remote user on an external network, and wherein the remote user, using the client, is authenticated to the application hosted by the corporate server via a single sign-on experience.
20. The method of claim 16, wherein the client comprises an authenticating entity modified to support OTP authentication, wherein the authenticating entity obtains the OTP from the user.
21. The method of claim 16, wherein the OTP from the client is received in a second domain, and wherein the inter-domain key is used to verify that trust is established between the first domain and the second domain.
22. The method of claim 16, wherein the TGT is encrypted using the inter-domain key, and wherein a local keys distribution center (KDC) is configured to decrypt the TGT using the inter-domain key.
23. A computer system, comprising: a processor; a memory; a storage device; and software instruction stored in the memory for enabling the computer system under control of the processor to: receive the OTP from a client, wherein the OTP is used to authenticate a user to the internal corporate network; validate the OTP; issue an inter-domain key and a ticket- granting-ticket (TGT) to the client upon validation of the OTP; request a service ticket using the TGT and the inter-domain key; and establish communication with a corporate server executing an application on the internal corporate network using the service ticket.
24. A method for client authentication using an authentication credential, comprising: receiving the authentication credential associated with a user from a client, the authentication credential is used to authenticate the user to the internal corporate network; validating the authentication credential; issuing an inter-domain key and a ticket-granting-ticket (TGT) to the client upon validation of the authentication credential; requesting a service ticket using the TGT and the inter-domain key; and establishing communication with a corporate server executing an application on the internal corporate network using the service ticket.
25. The method of claim 24, wherein the authentication credential is one selected from a group consisting of a one-time password (OTP) and a biometric authentication credential.
PCT/US2007/078544 2006-09-14 2007-09-14 Method and system for one time password based authentication and integrated remote access Ceased WO2008034090A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US84460106P 2006-09-14 2006-09-14
US60/844,601 2006-09-14
US11/855,017 2007-09-13
US11/855,017 US20080072303A1 (en) 2006-09-14 2007-09-13 Method and system for one time password based authentication and integrated remote access

Publications (1)

Publication Number Publication Date
WO2008034090A1 true WO2008034090A1 (en) 2008-03-20

Family

ID=38973128

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2007/078544 Ceased WO2008034090A1 (en) 2006-09-14 2007-09-14 Method and system for one time password based authentication and integrated remote access

Country Status (2)

Country Link
US (1) US20080072303A1 (en)
WO (1) WO2008034090A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101800987A (en) * 2010-02-10 2010-08-11 中兴通讯股份有限公司 Intelligent card authentication device and method
EP2904759A4 (en) * 2013-01-08 2016-06-08 Univ Bar Ilan METHOD FOR PROVIDING SECURITY USING SECURE CALCULATION
EP3160176A1 (en) * 2015-10-19 2017-04-26 Vodafone GmbH Using a service of a mobile packet core network without having a sim card
US9659165B2 (en) 2011-09-06 2017-05-23 Crimson Corporation Method and apparatus for accessing corporate data from a mobile device

Families Citing this family (210)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7343413B2 (en) 2000-03-21 2008-03-11 F5 Networks, Inc. Method and system for optimizing a network by independently scaling control segments and data flow
US8380854B2 (en) 2000-03-21 2013-02-19 F5 Networks, Inc. Simplified method for processing multiple connections from the same client
US7526798B2 (en) * 2002-10-31 2009-04-28 International Business Machines Corporation System and method for credential delegation using identity assertion
US8516566B2 (en) * 2007-10-25 2013-08-20 Apple Inc. Systems and methods for using external authentication service for Kerberos pre-authentication
US8397077B2 (en) * 2007-12-07 2013-03-12 Pistolstar, Inc. Client side authentication redirection
US8549298B2 (en) * 2008-02-29 2013-10-01 Microsoft Corporation Secure online service provider communication
US8402522B1 (en) 2008-04-17 2013-03-19 Morgan Stanley System and method for managing services and jobs running under production IDs without exposing passwords for the production IDs to humans
US8756660B2 (en) * 2008-04-17 2014-06-17 Microsoft Corporation Enabling two-factor authentication for terminal services
US8806053B1 (en) 2008-04-29 2014-08-12 F5 Networks, Inc. Methods and systems for optimizing network traffic using preemptive acknowledgment signals
US8522326B2 (en) 2008-05-30 2013-08-27 Motorola Mobility Llc System and method for authenticating a smart card using an authentication token transmitted to a smart card reader
TWI366376B (en) * 2008-06-11 2012-06-11 Chunghwa Telecom Co Ltd System and method identity verification applicable to exclusive simulation network
US8468587B2 (en) * 2008-09-26 2013-06-18 Microsoft Corporation Binding activation of network-enabled devices to web-based services
US8868961B1 (en) 2009-11-06 2014-10-21 F5 Networks, Inc. Methods for acquiring hyper transport timing and devices thereof
US10721269B1 (en) 2009-11-06 2020-07-21 F5 Networks, Inc. Methods and system for returning requests with javascript for clients before passing a request to a server
US8412928B1 (en) * 2010-03-31 2013-04-02 Emc Corporation One-time password authentication employing local testing of candidate passwords from one-time password server
US9141625B1 (en) 2010-06-22 2015-09-22 F5 Networks, Inc. Methods for preserving flow state during virtual machine migration and devices thereof
US10015286B1 (en) * 2010-06-23 2018-07-03 F5 Networks, Inc. System and method for proxying HTTP single sign on across network domains
US8347100B1 (en) 2010-07-14 2013-01-01 F5 Networks, Inc. Methods for DNSSEC proxying and deployment amelioration and systems thereof
US9083760B1 (en) 2010-08-09 2015-07-14 F5 Networks, Inc. Dynamic cloning and reservation of detached idle connections
US8886981B1 (en) 2010-09-15 2014-11-11 F5 Networks, Inc. Systems and methods for idle driven scheduling
WO2012058643A2 (en) 2010-10-29 2012-05-03 F5 Networks, Inc. System and method for on the fly protocol conversion in obtaining policy enforcement information
US8806040B2 (en) * 2010-12-06 2014-08-12 Red Hat, Inc. Accessing external network via proxy server
US10135831B2 (en) 2011-01-28 2018-11-20 F5 Networks, Inc. System and method for combining an access control system with a traffic management system
US9276929B2 (en) * 2013-03-15 2016-03-01 Salesforce.Com, Inc. Method and apparatus for multi-domain authentication
US8863257B2 (en) * 2011-03-10 2014-10-14 Red Hat, Inc. Securely connecting virtual machines in a public cloud to corporate resource
KR101243101B1 (en) 2011-04-28 2013-03-13 이형우 Voice one-time password based user authentication method and system on smart phone
US9246819B1 (en) 2011-06-20 2016-01-26 F5 Networks, Inc. System and method for performing message-based load balancing
US9270766B2 (en) 2011-12-30 2016-02-23 F5 Networks, Inc. Methods for identifying network traffic characteristics to correlate and manage one or more subsequent flows and devices thereof
US10230566B1 (en) 2012-02-17 2019-03-12 F5 Networks, Inc. Methods for dynamically constructing a service principal name and devices thereof
US9231879B1 (en) 2012-02-20 2016-01-05 F5 Networks, Inc. Methods for policy-based network traffic queue management and devices thereof
US9172753B1 (en) 2012-02-20 2015-10-27 F5 Networks, Inc. Methods for optimizing HTTP header based authentication and devices thereof
US9367678B2 (en) 2012-02-29 2016-06-14 Red Hat, Inc. Password authentication
US8955086B2 (en) * 2012-03-16 2015-02-10 Red Hat, Inc. Offline authentication
US10097616B2 (en) 2012-04-27 2018-10-09 F5 Networks, Inc. Methods for optimizing service of content requests and devices thereof
GB201217084D0 (en) * 2012-09-25 2012-11-07 Uni I Oslo Network security
KR101310043B1 (en) 2013-01-04 2013-09-17 이형우 Voice one-time password based user authentication method on smart phone
US10375155B1 (en) 2013-02-19 2019-08-06 F5 Networks, Inc. System and method for achieving hardware acceleration for asymmetric flow connections
EP2984782B1 (en) * 2013-04-12 2018-09-05 Nec Corporation Method and system for accessing device by a user
EP3019992B1 (en) * 2013-07-08 2020-04-29 Assa Abloy AB One-time-password generated on reader device using key read from personal security device
US10187317B1 (en) 2013-11-15 2019-01-22 F5 Networks, Inc. Methods for traffic rate control and devices thereof
US9973488B1 (en) * 2013-12-04 2018-05-15 Amazon Technologies, Inc. Authentication in a multi-tenant environment
US10129243B2 (en) * 2013-12-27 2018-11-13 Avaya Inc. Controlling access to traversal using relays around network address translation (TURN) servers using trusted single-use credentials
US10015143B1 (en) 2014-06-05 2018-07-03 F5 Networks, Inc. Methods for securing one or more license entitlement grants and devices thereof
US11838851B1 (en) 2014-07-15 2023-12-05 F5, Inc. Methods for managing L7 traffic classification and devices thereof
US10122630B1 (en) 2014-08-15 2018-11-06 F5 Networks, Inc. Methods for network traffic presteering and devices thereof
US10243949B2 (en) * 2014-09-17 2019-03-26 Heart Forever Co., Ltd. Connection system and connection method
US10182013B1 (en) 2014-12-01 2019-01-15 F5 Networks, Inc. Methods for managing progressive image delivery and devices thereof
US11895138B1 (en) 2015-02-02 2024-02-06 F5, Inc. Methods for improving web scanner accuracy and devices thereof
WO2016126052A2 (en) * 2015-02-06 2016-08-11 (주)이스톰 Authentication method and system
US10834065B1 (en) 2015-03-31 2020-11-10 F5 Networks, Inc. Methods for SSL protected NTLM re-authentication and devices thereof
US11350254B1 (en) 2015-05-05 2022-05-31 F5, Inc. Methods for enforcing compliance policies and devices thereof
US10505818B1 (en) 2015-05-05 2019-12-10 F5 Networks. Inc. Methods for analyzing and load balancing based on server health and devices thereof
US10944738B2 (en) * 2015-06-15 2021-03-09 Airwatch, Llc. Single sign-on for managed mobile devices using kerberos
US10171447B2 (en) 2015-06-15 2019-01-01 Airwatch Llc Single sign-on for unmanaged mobile devices
US11057364B2 (en) 2015-06-15 2021-07-06 Airwatch Llc Single sign-on for managed mobile devices
US10812464B2 (en) 2015-06-15 2020-10-20 Airwatch Llc Single sign-on for managed mobile devices
US9769157B2 (en) 2015-09-21 2017-09-19 American Express Travel Related Services Company, Inc. Systems and methods for secure one-time password validation
US11757946B1 (en) 2015-12-22 2023-09-12 F5, Inc. Methods for analyzing network traffic and enforcing network policies and devices thereof
US10404698B1 (en) 2016-01-15 2019-09-03 F5 Networks, Inc. Methods for adaptive organization of web application access points in webtops and devices thereof
US10797888B1 (en) 2016-01-20 2020-10-06 F5 Networks, Inc. Methods for secured SCEP enrollment for client devices and devices thereof
US12464021B1 (en) 2016-01-20 2025-11-04 F5, Inc. Methods for providing secure access using preemptive measures and devices thereof
US11178150B1 (en) 2016-01-20 2021-11-16 F5 Networks, Inc. Methods for enforcing access control list based on managed application and devices thereof
US10791088B1 (en) 2016-06-17 2020-09-29 F5 Networks, Inc. Methods for disaggregating subscribers via DHCP address translation and devices thereof
US11063758B1 (en) 2016-11-01 2021-07-13 F5 Networks, Inc. Methods for facilitating cipher selection and devices thereof
US10505792B1 (en) 2016-11-02 2019-12-10 F5 Networks, Inc. Methods for facilitating network traffic analytics and devices thereof
US11315114B2 (en) 2016-12-28 2022-04-26 Capital One Services, Llc Dynamic transaction card protected by multi-factor authentication
US10771453B2 (en) * 2017-01-04 2020-09-08 Cisco Technology, Inc. User-to-user information (UUI) carrying security token in pre-call authentication
US10812266B1 (en) 2017-03-17 2020-10-20 F5 Networks, Inc. Methods for managing security tokens based on security violations and devices thereof
US10972453B1 (en) 2017-05-03 2021-04-06 F5 Networks, Inc. Methods for token refreshment based on single sign-on (SSO) for federated identity environments and devices thereof
US11122042B1 (en) 2017-05-12 2021-09-14 F5 Networks, Inc. Methods for dynamically managing user access control and devices thereof
US11343237B1 (en) 2017-05-12 2022-05-24 F5, Inc. Methods for managing a federated identity environment using security and access control data and devices thereof
US11122083B1 (en) 2017-09-08 2021-09-14 F5 Networks, Inc. Methods for managing network connections based on DNS data and network policies and devices thereof
US11012495B1 (en) * 2018-01-09 2021-05-18 EMC IP Holding Company LLC Remote service credentials for establishing remote sessions with managed devices
CN110620750A (en) * 2018-06-20 2019-12-27 宁德师范学院 Network security verification method of distributed system
US10546444B2 (en) 2018-06-21 2020-01-28 Capital One Services, Llc Systems and methods for secure read-only authentication
US11044200B1 (en) 2018-07-06 2021-06-22 F5 Networks, Inc. Methods for service stitching using a packet header and devices thereof
US11216806B2 (en) 2018-09-19 2022-01-04 Capital One Services, Llc Systems and methods for providing card interactions
US10771253B2 (en) 2018-10-02 2020-09-08 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
WO2020072670A1 (en) 2018-10-02 2020-04-09 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
WO2020072687A1 (en) 2018-10-02 2020-04-09 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
US10579998B1 (en) 2018-10-02 2020-03-03 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
US10771254B2 (en) 2018-10-02 2020-09-08 Capital One Services, Llc Systems and methods for email-based card activation
WO2020072440A1 (en) 2018-10-02 2020-04-09 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
US10909527B2 (en) 2018-10-02 2021-02-02 Capital One Services, Llc Systems and methods for performing a reissue of a contactless card
US10542036B1 (en) 2018-10-02 2020-01-21 Capital One Services, Llc Systems and methods for signaling an attack on contactless cards
CA3115142A1 (en) 2018-10-02 2020-04-09 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
US10748138B2 (en) 2018-10-02 2020-08-18 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
CA3115252A1 (en) 2018-10-02 2020-04-09 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
US10581611B1 (en) 2018-10-02 2020-03-03 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
US10733645B2 (en) 2018-10-02 2020-08-04 Capital One Services, Llc Systems and methods for establishing identity for order pick up
US10592710B1 (en) 2018-10-02 2020-03-17 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
US10565587B1 (en) 2018-10-02 2020-02-18 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
CA3114753A1 (en) 2018-10-02 2020-04-09 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
JP2022511281A (en) 2018-10-02 2022-01-31 キャピタル・ワン・サービシーズ・リミテッド・ライアビリティ・カンパニー Systems and methods for cryptographic authentication of non-contact cards
US10582386B1 (en) 2018-10-02 2020-03-03 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
JP2022502901A (en) 2018-10-02 2022-01-11 キャピタル・ワン・サービシーズ・リミテッド・ライアビリティ・カンパニーCapital One Services, LLC Systems and methods for cryptographic authentication of non-contact cards
US10489781B1 (en) 2018-10-02 2019-11-26 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
CA3115107A1 (en) 2018-10-02 2020-04-09 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
US10949520B2 (en) 2018-10-02 2021-03-16 Capital One Services, Llc Systems and methods for cross coupling risk analytics and one-time-passcodes
US10554411B1 (en) 2018-10-02 2020-02-04 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
US10505738B1 (en) 2018-10-02 2019-12-10 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
US10686603B2 (en) 2018-10-02 2020-06-16 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
US11210664B2 (en) 2018-10-02 2021-12-28 Capital One Services, Llc Systems and methods for amplifying the strength of cryptographic algorithms
US10511443B1 (en) 2018-10-02 2019-12-17 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
KR102840730B1 (en) 2018-10-02 2025-07-30 캐피탈 원 서비시즈, 엘엘씨 System and method for cryptographic authentication of contactless cards
KR20250105679A (en) 2018-10-02 2025-07-08 캐피탈 원 서비시즈, 엘엘씨 System and methods for cryptographic authentication of contactless card
US10607214B1 (en) 2018-10-02 2020-03-31 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
US10664830B1 (en) 2018-12-18 2020-05-26 Capital One Services, Llc Devices and methods for selective contactless communication
US11361302B2 (en) 2019-01-11 2022-06-14 Capital One Services, Llc Systems and methods for touch screen interface interaction using a card overlay
US11037136B2 (en) 2019-01-24 2021-06-15 Capital One Services, Llc Tap to autofill card data
US10510074B1 (en) 2019-02-01 2019-12-17 Capital One Services, Llc One-tap payment using a contactless card
US10467622B1 (en) 2019-02-01 2019-11-05 Capital One Services, Llc Using on-demand applications to generate virtual numbers for a contactless card to securely autofill forms
US11120453B2 (en) 2019-02-01 2021-09-14 Capital One Services, Llc Tap card to securely generate card data to copy to clipboard
US10425129B1 (en) 2019-02-27 2019-09-24 Capital One Services, Llc Techniques to reduce power consumption in near field communication systems
US10523708B1 (en) 2019-03-18 2019-12-31 Capital One Services, Llc System and method for second factor authentication of customer support calls
US10984416B2 (en) 2019-03-20 2021-04-20 Capital One Services, Llc NFC mobile currency transfer
US10643420B1 (en) 2019-03-20 2020-05-05 Capital One Services, Llc Contextual tapping engine
US10438437B1 (en) 2019-03-20 2019-10-08 Capital One Services, Llc Tap to copy data to clipboard via NFC
US10535062B1 (en) 2019-03-20 2020-01-14 Capital One Services, Llc Using a contactless card to securely share personal data stored in a blockchain
US10970712B2 (en) 2019-03-21 2021-04-06 Capital One Services, Llc Delegated administration of permissions using a contactless card
US10467445B1 (en) 2019-03-28 2019-11-05 Capital One Services, Llc Devices and methods for contactless card alignment with a foldable mobile device
US11521262B2 (en) 2019-05-28 2022-12-06 Capital One Services, Llc NFC enhanced augmented reality information overlays
US10516447B1 (en) 2019-06-17 2019-12-24 Capital One Services, Llc Dynamic power levels in NFC card communications
US11436340B2 (en) * 2019-06-24 2022-09-06 Bank Of America Corporation Encrypted device identification stream generator for secure interaction authentication
US11694187B2 (en) 2019-07-03 2023-07-04 Capital One Services, Llc Constraining transactional capabilities for contactless cards
US10871958B1 (en) 2019-07-03 2020-12-22 Capital One Services, Llc Techniques to perform applet programming
US11392933B2 (en) 2019-07-03 2022-07-19 Capital One Services, Llc Systems and methods for providing online and hybridcard interactions
US12086852B2 (en) 2019-07-08 2024-09-10 Capital One Services, Llc Authenticating voice transactions with payment card
US10713649B1 (en) 2019-07-09 2020-07-14 Capital One Services, Llc System and method enabling mobile near-field communication to update display on a payment card
US10498401B1 (en) 2019-07-15 2019-12-03 Capital One Services, Llc System and method for guiding card positioning using phone sensors
US10885514B1 (en) 2019-07-15 2021-01-05 Capital One Services, Llc System and method for using image data to trigger contactless card transactions
US10733601B1 (en) 2019-07-17 2020-08-04 Capital One Services, Llc Body area network facilitated authentication or payment authorization
US11182771B2 (en) 2019-07-17 2021-11-23 Capital One Services, Llc System for value loading onto in-vehicle device
US10832271B1 (en) 2019-07-17 2020-11-10 Capital One Services, Llc Verified reviews using a contactless card
US11521213B2 (en) 2019-07-18 2022-12-06 Capital One Services, Llc Continuous authentication for digital services based on contactless card positioning
US10506426B1 (en) 2019-07-19 2019-12-10 Capital One Services, Llc Techniques for call authentication
US10541995B1 (en) 2019-07-23 2020-01-21 Capital One Services, Llc First factor contactless card authentication system and method
US10701560B1 (en) 2019-10-02 2020-06-30 Capital One Services, Llc Client device authentication using contactless legacy magnetic stripe data
US11595369B2 (en) * 2019-11-08 2023-02-28 Seagate Technology Llc Promoting system authentication to the edge of a cloud computing network
US10885410B1 (en) 2019-12-23 2021-01-05 Capital One Services, Llc Generating barcodes utilizing cryptographic techniques
US10657754B1 (en) 2019-12-23 2020-05-19 Capital One Services, Llc Contactless card and personal identification system
US11615395B2 (en) 2019-12-23 2023-03-28 Capital One Services, Llc Authentication for third party digital wallet provisioning
US11651361B2 (en) 2019-12-23 2023-05-16 Capital One Services, Llc Secure authentication based on passport data stored in a contactless card
US10733283B1 (en) 2019-12-23 2020-08-04 Capital One Services, Llc Secure password generation and management using NFC and contactless smart cards
US11113685B2 (en) 2019-12-23 2021-09-07 Capital One Services, Llc Card issuing with restricted virtual numbers
US10862540B1 (en) 2019-12-23 2020-12-08 Capital One Services, Llc Method for mapping NFC field strength and location on mobile devices
US10664941B1 (en) 2019-12-24 2020-05-26 Capital One Services, Llc Steganographic image encoding of biometric template information on a card
US10853795B1 (en) 2019-12-24 2020-12-01 Capital One Services, Llc Secure authentication based on identity data stored in a contactless card
US11200563B2 (en) 2019-12-24 2021-12-14 Capital One Services, Llc Account registration using a contactless card
US10757574B1 (en) 2019-12-26 2020-08-25 Capital One Services, Llc Multi-factor authentication providing a credential via a contactless card for secure messaging
US10909544B1 (en) 2019-12-26 2021-02-02 Capital One Services, Llc Accessing and utilizing multiple loyalty point accounts
US11038688B1 (en) 2019-12-30 2021-06-15 Capital One Services, Llc Techniques to control applets for contactless cards
US11455620B2 (en) 2019-12-31 2022-09-27 Capital One Services, Llc Tapping a contactless card to a computing device to provision a virtual number
US10860914B1 (en) 2019-12-31 2020-12-08 Capital One Services, Llc Contactless card and method of assembly
US11210656B2 (en) 2020-04-13 2021-12-28 Capital One Services, Llc Determining specific terms for contactless card activation
US10915888B1 (en) 2020-04-30 2021-02-09 Capital One Services, Llc Contactless card with multiple rotating security keys
US11823175B2 (en) 2020-04-30 2023-11-21 Capital One Services, Llc Intelligent card unlock
US11030339B1 (en) 2020-04-30 2021-06-08 Capital One Services, Llc Systems and methods for data access control of personal user data using a short-range transceiver
US11222342B2 (en) 2020-04-30 2022-01-11 Capital One Services, Llc Accurate images in graphical user interfaces to enable data transfer
US10861006B1 (en) 2020-04-30 2020-12-08 Capital One Services, Llc Systems and methods for data access control using a short-range transceiver
US10963865B1 (en) 2020-05-12 2021-03-30 Capital One Services, Llc Augmented reality card activation experience
US11063979B1 (en) 2020-05-18 2021-07-13 Capital One Services, Llc Enabling communications between applications in a mobile operating system
US11100511B1 (en) 2020-05-18 2021-08-24 Capital One Services, Llc Application-based point of sale system in mobile operating systems
US11062098B1 (en) 2020-08-11 2021-07-13 Capital One Services, Llc Augmented reality information display and interaction via NFC based authentication
US12165149B2 (en) 2020-08-12 2024-12-10 Capital One Services, Llc Systems and methods for user verification via short-range transceiver
US11777941B2 (en) * 2020-09-30 2023-10-03 Mideye Ab Methods and authentication server for authentication of users requesting access to a restricted data resource using authorized approvers
US11482312B2 (en) 2020-10-30 2022-10-25 Capital One Services, Llc Secure verification of medical status using a contactless card
US11165586B1 (en) 2020-10-30 2021-11-02 Capital One Services, Llc Call center web-based authentication using a contactless card
US11373169B2 (en) 2020-11-03 2022-06-28 Capital One Services, Llc Web-based activation of contactless cards
US11216799B1 (en) 2021-01-04 2022-01-04 Capital One Services, Llc Secure generation of one-time passcodes using a contactless card
US11682012B2 (en) 2021-01-27 2023-06-20 Capital One Services, Llc Contactless delivery systems and methods
US11562358B2 (en) 2021-01-28 2023-01-24 Capital One Services, Llc Systems and methods for near field contactless card communication and cryptographic authentication
US11792001B2 (en) 2021-01-28 2023-10-17 Capital One Services, Llc Systems and methods for secure reprovisioning
US11687930B2 (en) 2021-01-28 2023-06-27 Capital One Services, Llc Systems and methods for authentication of access tokens
US11438329B2 (en) 2021-01-29 2022-09-06 Capital One Services, Llc Systems and methods for authenticated peer-to-peer data transfer using resource locators
US11777933B2 (en) 2021-02-03 2023-10-03 Capital One Services, Llc URL-based authentication for payment cards
US11637826B2 (en) 2021-02-24 2023-04-25 Capital One Services, Llc Establishing authentication persistence
US12143515B2 (en) 2021-03-26 2024-11-12 Capital One Services, Llc Systems and methods for transaction card-based authentication
US11245438B1 (en) 2021-03-26 2022-02-08 Capital One Services, Llc Network-enabled smart apparatus and systems and methods for activating and provisioning same
US12160419B2 (en) 2021-04-15 2024-12-03 Capital One Services, Llc Authenticated messaging session with contactless card authentication
US11935035B2 (en) 2021-04-20 2024-03-19 Capital One Services, Llc Techniques to utilize resource locators by a contactless card to perform a sequence of operations
US11961089B2 (en) 2021-04-20 2024-04-16 Capital One Services, Llc On-demand applications to extend web services
US12204949B2 (en) 2021-04-21 2025-01-21 EMC IP Holding Company LLC Method and system for managing accelerator pools to perform subportions of portions of workflows
US20220342714A1 (en) * 2021-04-21 2022-10-27 EMC IP Holding Company LLC Method and system for provisioning workflows with dynamic accelerator pools
US11972289B2 (en) 2021-04-21 2024-04-30 EMC IP Holding Company LLC Method and system for provisioning workflows based on locality
US12032993B2 (en) 2021-04-21 2024-07-09 EMC IP Holding Company LLC Generating and managing workflow fingerprints based on provisioning of devices in a device ecosystem
US11902442B2 (en) 2021-04-22 2024-02-13 Capital One Services, Llc Secure management of accounts on display devices using a contactless card
US11354555B1 (en) 2021-05-04 2022-06-07 Capital One Services, Llc Methods, mediums, and systems for applying a display to a transaction card
US12301735B2 (en) 2021-06-18 2025-05-13 Capital One Services, Llc Systems and methods for contactless card communication and multi-device key pair cryptographic authentication
US12335412B2 (en) 2021-06-21 2025-06-17 Capital One Services, Llc Systems and methods for scalable cryptographic authentication of contactless cards
US12041172B2 (en) 2021-06-25 2024-07-16 Capital One Services, Llc Cryptographic authentication to control access to storage devices
US12061682B2 (en) 2021-07-19 2024-08-13 Capital One Services, Llc System and method to perform digital authentication using multiple channels of communication
US12495042B2 (en) 2021-08-16 2025-12-09 Capital One Services, Llc Systems and methods for resetting an authentication counter
US12062258B2 (en) 2021-09-16 2024-08-13 Capital One Services, Llc Use of a payment card to unlock a lock
US12069173B2 (en) 2021-12-15 2024-08-20 Capital One Services, Llc Key recovery based on contactless card authentication
US12166750B2 (en) 2022-02-08 2024-12-10 Capital One Services, Llc Systems and methods for secure access of storage
CN114513781B (en) * 2022-02-11 2024-08-06 青岛民航空管实业发展有限公司 Identity authentication method and data encryption and decryption method for air traffic control intelligent station
US12354077B2 (en) 2022-06-23 2025-07-08 Capital One Services, Llc Mobile web browser authentication and checkout using a contactless card
US12354104B2 (en) 2022-08-09 2025-07-08 Capital One Services, Llc Methods and arrangements for proof of purchase
US12289396B2 (en) 2022-08-18 2025-04-29 Capital One Services, Llc Parallel secret salt generation and authentication for encrypted communication
US12489747B2 (en) 2022-11-18 2025-12-02 Capital One Services, LLC. Systems and techniques to perform verification operations with wireless communication
US12147983B2 (en) 2023-01-13 2024-11-19 Capital One Services, Llc Systems and methods for multi-factor authentication using device tracking and identity verification
US12248832B2 (en) 2023-03-07 2025-03-11 Capital One Services, Llc Systems and methods for steganographic image encoding and identity verification using same
US12335256B2 (en) 2023-03-08 2025-06-17 Capital One Services, Llc Systems and methods for device binding authentication
US12248928B2 (en) 2023-03-13 2025-03-11 Capital One Services, Llc Systems and methods of secure merchant payment over messaging platform using a contactless card
US12124903B2 (en) 2023-03-16 2024-10-22 Capital One Services, Llc Card with a time-sensitive element and systems and methods for implementing the same
US12299672B2 (en) 2023-03-30 2025-05-13 Capital One Services, Llc System and method for authentication with transaction cards
US12499432B2 (en) 2023-04-06 2025-12-16 Capital One Services, Llc Techniques to perform operations with a contactless card when in the presence of a trusted device
US12200135B2 (en) 2023-06-13 2025-01-14 Capital One Services, Llc Contactless card-based authentication via web-browser
US20250267004A1 (en) * 2024-02-19 2025-08-21 Wells Fargo Bank, N.A. Two factor authentication devices with accessibility features

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020078243A1 (en) * 2000-12-15 2002-06-20 International Business Machines Corporation Method and apparatus for time synchronization in a network data processing system
US20020150253A1 (en) * 2001-04-12 2002-10-17 Brezak John E. Methods and arrangements for protecting information in forwarded authentication messages
US7243370B2 (en) * 2001-06-14 2007-07-10 Microsoft Corporation Method and system for integrating security mechanisms into session initiation protocol request messages for client-proxy authentication
US7185359B2 (en) * 2001-12-21 2007-02-27 Microsoft Corporation Authentication and authorization across autonomous network systems
US7818792B2 (en) * 2002-02-04 2010-10-19 General Instrument Corporation Method and system for providing third party authentication of authorization
US20040098615A1 (en) * 2002-11-16 2004-05-20 Mowers David R. Mapping from a single sign-in service to a directory service
US20050108575A1 (en) * 2003-11-18 2005-05-19 Yung Chong M. Apparatus, system, and method for faciliating authenticated communication between authentication realms
US20060059344A1 (en) * 2004-09-10 2006-03-16 Nokia Corporation Service authentication
US7571311B2 (en) * 2005-04-01 2009-08-04 Microsoft Corporation Scheme for sub-realms within an authentication protocol
US7757275B2 (en) * 2005-06-15 2010-07-13 Microsoft Corporation One time password integration with Kerberos
US7540022B2 (en) * 2005-06-30 2009-05-26 Nokia Corporation Using one-time passwords with single sign-on authentication
KR20070032885A (en) * 2005-09-20 2007-03-23 엘지전자 주식회사 Security system and method of ubiquitous network
WO2007089503A2 (en) * 2006-01-26 2007-08-09 Imprivata, Inc. Systems and methods for multi-factor authentication

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"Windows 2000 Kerberos Authentication", WINDOWS 2000 KERBEROS AUTHENTICATION WHITE PAPER, XX, XX, July 1999 (1999-07-01), pages 1 - 46, XP002291163 *
AUYONG K ET AL: "AUTHENTICATION SERVICES FOR COMPUTER NETWORKS AND ELECTRONIC MESSAGING SYSTEMS", OPERATING SYSTEMS REVIEW, ACM, NEW YORK, NY, US, vol. 31, no. 3, July 1997 (1997-07-01), pages 3 - 15, XP000739146, ISSN: 0163-5980 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101800987A (en) * 2010-02-10 2010-08-11 中兴通讯股份有限公司 Intelligent card authentication device and method
WO2011097843A1 (en) * 2010-02-10 2011-08-18 中兴通讯股份有限公司 Smart card authentication device and method
US9491166B2 (en) 2010-02-10 2016-11-08 Zte Corporation Apparatus and method for authenticating smart card
US9659165B2 (en) 2011-09-06 2017-05-23 Crimson Corporation Method and apparatus for accessing corporate data from a mobile device
EP2904759A4 (en) * 2013-01-08 2016-06-08 Univ Bar Ilan METHOD FOR PROVIDING SECURITY USING SECURE CALCULATION
US9960919B2 (en) 2013-01-08 2018-05-01 Bar-Ilan University Method for providing security using secure computation
EP3160176A1 (en) * 2015-10-19 2017-04-26 Vodafone GmbH Using a service of a mobile packet core network without having a sim card
US10805473B2 (en) 2015-10-19 2020-10-13 Vodafone Gmbh Triggering a usage of a service of a mobile packet core network

Also Published As

Publication number Publication date
US20080072303A1 (en) 2008-03-20

Similar Documents

Publication Publication Date Title
US20080072303A1 (en) Method and system for one time password based authentication and integrated remote access
KR101459802B1 (en) Delegation of authentication based on re-verification of encryption credentials
US8997196B2 (en) Flexible end-point compliance and strong authentication for distributed hybrid enterprises
US7246230B2 (en) Single sign-on over the internet using public-key cryptography
EP4264880B1 (en) Integration of legacy authentication with cloud-based authentication
CN102638454B (en) A plug-in single sign-on integration method for HTTP authentication protocol
US8955072B2 (en) Single sign on for a remote user session
US20080320566A1 (en) Device provisioning and domain join emulation over non-secured networks
US20080028453A1 (en) Identity and access management framework
US20050177730A1 (en) System and method for authentication via a single sign-on server
CN102047709A (en) Trusted device-specific authentication
TW201507430A (en) Authentication and authorization with a bundled token
US7757275B2 (en) One time password integration with Kerberos
US11750597B2 (en) Unattended authentication in HTTP using time-based one-time passwords
JP6792647B2 (en) Virtual smart card with auditing capability
JP5177505B2 (en) Intra-group service authorization method using single sign-on, intra-group service providing system using the method, and each server constituting the intra-group service providing system
US8326996B2 (en) Method and apparatus for establishing multiple sessions between a database and a middle-tier client
US20230064529A1 (en) User controlled identity provisioning for software applications
Milenković et al. Using Kerberos protocol for single sign-on in identity management systems
US10015286B1 (en) System and method for proxying HTTP single sign on across network domains
Fugkeaw et al. A robust single sign-on model based on multi-agent system and PKI
Nenadic et al. FAME: Adding multi-level authentication to shibboleth
AU2007101199A4 (en) Method of adding two-factor authentication support to a username and password authentication system
Bhagwat et al. Single Sign on for Secure Authentication of Web Services using Kerberos
Teraiya et al. Survey on Security Framework for Single Sign On in cloud for SaaS application

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07842540

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07842540

Country of ref document: EP

Kind code of ref document: A1